Stephane Chazelas was able to pinpoint a bug that lay undiscovered for 21 years.

Shell Shock enables hackers to remotely exploit a vulnerability found in millions of computers, phones and internet devices, such as laptops, light bulbs, thermostats and industrial control systems. Even Android phones and Mac laptops are affected (Apple put out a statement on Saturday saying it was working to put out a patch but that the vast majority of Mac OS X users were not at risk by default unless they configured advanced services).

Whether intelligence agencies or others knew of its existence remains unclear and is unlikely to be confirmed. But Ty Miller, of Sydney firm Threat Intelligence, noted reports that the US government allegedly knew about the Heartbleed vulnerability for many years before it was discovered.

"I would be amazed if governments haven't known about and exploited systems with Shell Shock for years," he said.

It was found in "Bash", a common software component known as a shell in the open source Unix software used by millions of web servers, computers, phones and other internet-connected devices. It allows hackers to take control of a device – such as a web camera or web server – and steal information from it, such as an image or credit card information.

Typical computer users have no need for access to the shell but system administrators and others do. It enables them to issue commands to an operating system without a graphical user interface.

The realisation of the scale and impact of [it] and what I had in my hands was quite scary.

Shell Shock bug finder Stephane Chazelas

When Mr Chazelas found the bug two weeks ago, he reported it to Chet Ramey, the maintainer of the Bash source code, that night.

It was then reported in secret to a select few internet infrastructure providers and Linux distributors, including Debian, Red Hat, Ubuntu, SuSE and Mandriva. This was co-ordinated by Florian Weimer, a Debian contributor who works for Red Hat.

"The realisation of the scale and impact of [it] and what I had in my hands was quite scary," Mr Chazelas, who works for content distribution network Akamai and found the bug in his personal time, told Fairfax Media.

Asked if he told anyone else about his find, he said only his family. "You don't want to tell anybody except the persons who need to know," he said.

"How it's deployed is far more important than the fix itself. I just told my wife and children that I had found a way to hack into many websites without giving details and that I'd be getting my other 10 minutes of fame soon," he quipped about his other moment of glory: making it into a local newspaper for riding a unicycle to work.

"We joked about how much I could sell [the bug] to [spy agencies] GCHQ/NSA, or negotiate a pay raise. But in my mind, there's never been a doubt that the first thing to do was to get it fixed ASAP and minimise the impact. My job as an IT manager is to minimise the risk and put out fires.

"That applies here as well. So I did spend quite some time investigating the bug, the possible ways to exploit it, the possible mitigations [and] ways to detect it at network or host level ... "

He said he found the bug after reflecting on an earlier bug he found in Bash a few months ago.

"After some thorough investigation, I reported it with as much information as possible to a few select Linux distribution security lists and Chet Ramey, the Bash maintainer, on September 9," he said.

"They've all worked hard to make sure a patch was ready on as many systems as possible [and select infrastructure providers were notified] by the time the vulnerability was disclosed on the agreed date yesterday [about 2am Thursday AEST]. That was very professionally handled. I believe the impact was about as minimised as could be, and I'm proud to have contributed to that."

The bug, an error, was introduced by either Chet Ramey or Brian Fox back in 1993, Mr Chazelas said, the maintainers of the source code behind Bash at the time. Both still look after the code today. "In any case, we can hardly blame them for that," Mr Chazelas said.

Fairfax Media is seeking comment from Mr Ramey and Mr Fox.

Mr Ramey told the New York Times on Friday that he believed he inadvertently introduced Shell Shock, though he could not be sure because back then he was not keeping comprehensive logs.

According to Mr Chazelas' resume, he finished high school in 1993 with honours in maths and science. He completed the equivalent to a Masters of Engineering and did advanced maths and physics classes post high school in preparation for competitive entrance examinations to French engineering schools.

He likes unicycling, hiking and paragliding, as wells as guitar, juggling, cooking and family life.

He's worked as a telephone helpdesk support person at Morse Group, at IT consultancy company ALTEN, for Emerson Network Power as an engineer, and as a programmer for Raytheon Systems, which manages the Canadian Automated Air Traffic Control System.